Down the Security Rabbithole, The Blog

This is a collection of my thoughts and ideas, and anything expressed here is unrelated to anything in real life and does not represent opinions of clients, employers or colleagues. If it feels a little bit like stream-of-consciousness, it probably is.

Thursday, March 25, 2010

PacketForensics - Something Smells Funny...

No doubt by now you've seen the story on Wired's "Threat Level" segment on Packet Forensics titled "Law Enforcement Appliance Subverts SSL"? I won't reiterate what was written in the story; you can read it yourself. This is what captured my interest:

"At a recent wiretapping convention, however, security researcher Chris Soghoian discovered that a small company was marketing internet spying boxes to the feds. The boxes were designed to intercept those communications — without breaking the encryption — by using forged security certificates, instead of the real ones that websites use to verify secure connections. To use the appliance, the government would need to acquire a forged certificate from any one of more than 100 trusted Certificate Authorities. The attack is a classic man-in-the-middle attack, where Alice thinks she is talking directly to Bob, but instead Mallory found a way to get in the middle and pass the messages back and forth without Alice or Bob knowing she was there. The existence of a marketed product indicates the vulnerability is likely being exploited by more than just information-hungry governments, according to leading encryption expert Matt Blaze, a computer science professor at University of Pennsylvania."

Of course, I wanted to know more. I wanted to talk to those Packet Forensics folks myself! Well, apparently that's a lot tougher than you'd think.

First off, I tried calling several times during business hours to their Tempe, AZ office and got a "Press 1 for sales, 2 for technical support" ...when I pressed 1 for "sales" I got a message system asking me to leave a message and someone would call me back. Pressing 2 for "support" got me a live support person who was kind enough to tell me that if I wasn't a current customer I'd need to buzz off. Hrmm...

1 comment:

I can't imagine that they'd go through the effort to get the actual cert used by the org they're spoofing. It's far easier to have a trusted CA in the box that generates whatever cert it needs on the fly.

Remember, SSL certs don't guarantee who you're talking to - only that someone "vouched" that they are who they said they are, and that it's encrypted. The trust in SSL comes from the CA, not the cert holder.
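The quoted Wired passage and the comment above make the same point from two sides: a browser accepts a certificate for a hostname from any of the 100+ CAs in its trust store, so a certificate minted by a second trusted CA passes the default check exactly as the genuine one does. The only defender-side checks that distinguish the two are a pin on the expected public key and a watch for the issuing CA changing. The following Python model, added here as an example and not code from the blog, Packet Forensics or Wired, is a constructed simulation: `Cert`, the three-entry trust store, the hostname `www.example.com`, the key bytes and the observation log are all made up, and no real X.509 parsing takes place. It shows the default check accepting both certificates, an SPKI pin rejecting the substituted one, and an issuer-change detector run over a small log of sightings.

```python
import hashlib
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class Cert:
    """Minimal stand-in for an X.509 leaf certificate (constructed, not parsed)."""
    subject: str   # hostname the certificate is issued for
    issuer: str    # name of the CA that signed it
    spki: bytes    # stand-in for the DER-encoded SubjectPublicKeyInfo


# Constructed trust store: three names standing in for the 100+ roots a
# browser ships with. Any one of them can vouch for any hostname.
TRUSTED_CAS = frozenset({"Root CA Alpha", "Root CA Beta", "Root CA Gamma"})


def spki_fingerprint(cert: Cert) -> str:
    """SHA-256 over the public key; this is the value a pin records."""
    return hashlib.sha256(cert.spki).hexdigest()


def default_validation(cert: Cert, hostname: str,
                       trusted=TRUSTED_CAS) -> bool:
    """Browser-style check: name matches and the issuer is *any* trusted CA."""
    return cert.subject == hostname and cert.issuer in trusted


def pinned_validation(cert: Cert, hostname: str, pins: Dict[str, Set[str]],
                      trusted=TRUSTED_CAS) -> Tuple[bool, str]:
    """Default check plus a pin: the key must be one the operator expects."""
    if not default_validation(cert, hostname, trusted):
        return False, "failed default validation"
    expected = pins.get(hostname)
    if expected is None:
        return True, "no pin configured for host"
    if spki_fingerprint(cert) not in expected:
        return False, f"pin mismatch: {cert.issuer} vouched for an unpinned key"
    return True, "pin matched"


def issuer_change_alerts(observations: List[Tuple[str, Cert]]) -> List[str]:
    """Detection over a log of (client, cert) sightings: flag any host whose
    issuing CA differs from the first CA seen for that host."""
    first_seen: Dict[str, str] = {}
    alerts: List[str] = []
    for client, cert in observations:
        baseline = first_seen.setdefault(cert.subject, cert.issuer)
        if cert.issuer != baseline:
            alerts.append(f"{client}: {cert.subject} now issued by "
                          f"{cert.issuer}, baseline was {baseline}")
    return alerts


# Constructed certificates: same hostname, two different trusted CAs.
GENUINE = Cert("www.example.com", "Root CA Alpha", b"genuine-server-public-key")
INTERCEPT = Cert("www.example.com", "Root CA Beta", b"appliance-generated-key")

# Pin recorded from the genuine certificate's public key.
PINS = {"www.example.com": {spki_fingerprint(GENUINE)}}

# Constructed observation log: the third client sits behind the interception box.
OBSERVATIONS = [
    ("client-a", GENUINE),
    ("client-b", GENUINE),
    ("client-c", INTERCEPT),
]


if __name__ == "__main__":
    for label, cert in (("genuine", GENUINE), ("intercept", INTERCEPT)):
        print(label, "default:", default_validation(cert, "www.example.com"),
              "pinned:", pinned_validation(cert, "www.example.com", PINS))
    for alert in issuer_change_alerts(OBSERVATIONS):
        print("ALERT", alert)
```

The design choice worth noting is that the pin is on the public key, not on the issuer name: a CA-name pin would still be bypassed by a certificate obtained from the pinned CA itself, whereas a key the appliance does not hold cannot be reproduced by any CA. The issuer-change detector is the cheaper, retrospective counterpart for fleets where pins cannot be deployed.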

About Me

Technology is pushing us along and becoming pervasive in our lives orders of magnitude faster than we can fully comprehend the ramifications of these changes.

Technology promises to change our lives, but at what price? The more heavily our daily lives rely on technology the greater the impact of a breach or a malicious attack. Our toasters can't kill us ... yet, but I suspect the day is coming.

As someone who has been involved in the defensive enterprise side of security for well over a decade, I implore you to join me and focus our efforts on building better, more resilient systems which can not only support and enrich our lives, but also stand up to misuse and attack better.

Remember, prevention is a myth the snake-oil salesman sells. Real security comes from the ability to detect, respond, and resolve critical issues in a meaningful way.